
Dogtag CA with OpenLDAP?



I’m trying to implement Dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page)
with my existing OpenLDAP/MIT Kerberos V installation (that’s been running for years).

But it’s failing because of:

    [27/Mar/2017:15:49:17][http-bio-8443-exec-3]: confirmMappings: Checking other subtrees using database Domain.TLD-CA.
    [27/Mar/2017:15:49:17][http-bio-8443-exec-3]: populateDB: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
    [27/Mar/2017:15:49:17][http-bio-8443-exec-3]: Error in populating database: Failed to check database mapping: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config

Dogtag only (officially) supports 389ds, but installing (and maintaining!) another
LDAP/Krb5 server on the network just seems … “wrong”! :)


The code looks like:

https://github.com/dogtagpki/pki/blob/DOGTAG_10_2_6_BRANCH/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java#L1528-L1553

Basically, it looks for “nsslapd-backend=Domain.TLD-CA” below “cn=mapping tree,cn=config”
(which doesn’t exist in OpenLDAP, of course).


Is there any “389ds compatibility module” or possibly a DN rewrite hack I could use
for this? I’ve never used “389ds” before, so I’m unsure what that object is supposed
to look like, or what “cn=mapping tree” is for exactly.
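As an added illustration (not part of the original post, and not Dogtag's own code): the lookup described above, replayed offline in Python against two constructed cn=config snapshots. The first snapshot has the shape a 389 DS instance gives those objects: a backend instance under cn=ldbm database,cn=plugins,cn=config, and an nsMappingTree entry under cn=mapping tree,cn=config whose nsslapd-backend attribute names that backend. The backend name Domain.TLD-CA is taken from the log; the suffix o=Domain.TLD-CA and the entries themselves are assumed for the example. The second snapshot is an OpenLDAP-style cn=config with no cn=mapping tree at all. The simulated one-level search reproduces the logged failure exactly: LDAP result 32 is noSuchObject, and matchedDN = cn=config is the server telling the client that cn=config exists but the child cn=mapping tree does not. The search base and filter follow the post's description of ConfigurationUtils; the LDIF parser and DN handling are deliberately minimal (no escaping beyond quoted RDN values).

```python
"""Replay Dogtag's mapping-tree check against constructed cn=config snapshots.

Added example; not code from the original post or from the Dogtag project.
"""

NO_SUCH_OBJECT = 32  # LDAP result code for noSuchObject

# Constructed sample: 389 DS backend instance plus its mapping tree entry.
# Suffix o=Domain.TLD-CA is assumed for the example.
DS389_CONFIG_LDIF = """\
dn: cn=config
objectClass: nsslapdConfig
cn: config

dn: cn=Domain.TLD-CA,cn=ldbm database,cn=plugins,cn=config
objectClass: nsBackendInstance
cn: Domain.TLD-CA
nsslapd-suffix: o=Domain.TLD-CA

dn: cn=mapping tree,cn=config
objectClass: nsContainer
cn: mapping tree

dn: cn="o=Domain.TLD-CA",cn=mapping tree,cn=config
objectClass: nsMappingTree
cn: o=Domain.TLD-CA
nsslapd-state: backend
nsslapd-backend: Domain.TLD-CA
"""

# Constructed sample: OpenLDAP cn=config has databases, but no cn=mapping tree.
OPENLDAP_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: o=Domain.TLD-CA
"""


class LDAPException(Exception):
    """Mirrors the message format seen in the Dogtag log."""

    def __init__(self, result_code, matched_dn):
        super().__init__(f"error result ({result_code}); matchedDN = {matched_dn}")
        self.result_code = result_code
        self.matched_dn = matched_dn


def split_dn(dn):
    """Split a DN into RDN strings; commas inside double quotes do not split."""
    rdns, cur, quoted = [], "", False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip())
    return rdns


def normalize_dn(dn):
    """Case-insensitive, whitespace-insensitive DN key (sufficient for cn= RDNs)."""
    return ",".join(r.lower() for r in split_dn(dn))


def parse_ldif(text):
    """Return {normalized_dn: (original_dn, {attr_lower: [values]})}."""
    directory = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:  # LDIF continuation line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            directory[normalize_dn(dn)] = (dn, attrs)
    return directory


def matched_dn(directory, norm_dn):
    """Deepest existing ancestor of a missing DN, as a server reports matchedDN."""
    rdns = split_dn(norm_dn)
    for i in range(1, len(rdns)):
        candidate = ",".join(rdns[i:])
        if candidate in directory:
            return candidate
    return ""


def search_one_level(directory, base, attr, value):
    """One-level search under base for (attr=value); 32 if base is missing."""
    base_n = normalize_dn(base)
    if base_n not in directory:
        raise LDAPException(NO_SUCH_OBJECT, matched_dn(directory, base_n))
    hits = []
    for norm, (orig, attrs) in directory.items():
        if ",".join(split_dn(norm)[1:]) != base_n:
            continue  # not a direct child of the base
        if value.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]:
            hits.append(orig)
    return hits


def confirm_mappings(ldif_text, database):
    """The check described in the post: look for nsslapd-backend=<database>
    directly below cn=mapping tree,cn=config."""
    directory = parse_ldif(ldif_text)
    return search_one_level(directory, "cn=mapping tree,cn=config",
                            "nsslapd-backend", database)


def check_result(ldif_text, database):
    """Summarise the outcome in the style of the Dogtag log line."""
    try:
        hits = confirm_mappings(ldif_text, database)
    except LDAPException as exc:
        return f"populateDB: netscape.ldap.LDAPException: {exc}"
    if not hits:
        return f"no mapping tree entry for backend {database}"
    return "mapping found: " + hits[0]


if __name__ == "__main__":
    print("389 DS: ", check_result(DS389_CONFIG_LDIF, "Domain.TLD-CA"))
    print("OpenLDAP:", check_result(OPENLDAP_CONFIG_LDIF, "Domain.TLD-CA"))
```

The practical reading of the simulation is that the failing step is purely a consult of server-private configuration under cn=config, not of the CA's own data tree, so a DN rewrite in front of OpenLDAP would have to synthesise an entire nsMappingTree entry (and the backend instance it points at) for a different directory product's schema.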